As I cannot understand how auth0 can define real custom scopes (i.e., from the Lock, it only shows scope=openid) while I want to define something such as myapplication_read, myapplication_write, ... and when the user logs in, auth0 will check the user's permissions (which ideally are set by me from the management page); then, if the user does not have the myapplication_write scope, the access token should only contain scope: [openid, myapplication_read].

However, I don't know whether auth0 can do it, so I have to do it like this. I added in each user's metadata the scopes property, e.g. a newly registered user will have empty user_metadata, but an admin user will have:

{
  "scopes": [
    "myapplication_write"
  ]
}

And I have to add a rule for this to add this user_metadata containing the scopes property to the ID token in JWT (I got an opaque access token when the user logs in with Lock, which is not a JWT, so I cannot decode it).

And in the endpoint I add a Spring controller to parse the query string and check the ID_TOKEN; I decode the ID token, as it is base64, and check the scopes property to know whether the user has the permission he wanted from the request parameter (myapplication_write) of the above request.

And if the request value does not belong to the scopes property of the ID token, I will just deny the request from the user. If it has the request value in the scopes property, then I will forward to an internal web application which will process the request.

1 Reply

There are some best practices for user data storage. According to those practices, permissions should be stored in app_metadata instead of user_metadata. Those practices are well documented here. Please walk through them.

For managing permissions, I would recommend that you make use of the Auth0 Authorization Extension. Further details can be found here.
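The setup the question describes (a rule that copies per-user scopes into the ID token, then an endpoint that checks the requested scope against that claim), rewritten to read from app_metadata as the reply advises. This is an added example, not code from the original post or from Auth0; the claim namespace, the scope names and the sample users are constructed.

```javascript
// Added example (not code from the original post or from Auth0): an Auth0
// rule that copies the scopes stored in app_metadata into a namespaced
// custom claim, plus the check an endpoint then runs on that claim.
const SCOPES_CLAIM = 'https://example.com/claims/scopes'; // assumed namespace

// Auth0 rule signature: function (user, context, callback), run at login.
function addScopesRule(user, context, callback) {
  const meta = user.app_metadata || {};
  // A user with no app_metadata.scopes gets an empty list, never undefined.
  const scopes = Array.isArray(meta.scopes) ? meta.scopes.slice() : [];
  context.idToken[SCOPES_CLAIM] = scopes;
  context.accessToken[SCOPES_CLAIM] = scopes;
  return callback(null, user, context);
}

// Decodes (does NOT verify) the payload of a compact JWT: base64url JSON.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// The endpoint's decision: allow only if the requested scope was granted.
function isAllowed(payload, requestedScope) {
  const granted = payload[SCOPES_CLAIM];
  return Array.isArray(granted) && granted.includes(requestedScope);
}

// Runs the rule for a user and returns the claims the ID token would carry.
function idTokenClaimsFor(user) {
  const ctx = { idToken: {}, accessToken: {} };
  let claims = null;
  addScopesRule(user, ctx, (err, u, c) => { claims = c.idToken; });
  return claims;
}

// Builds a token with an empty signature segment from a payload so the decode
// path can be exercised offline; real ID tokens are signed by Auth0.
function buildUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.`;
}

// Constructed demo: admin with myapplication_write vs. a newly registered user.
const adminClaims = idTokenClaimsFor({ app_metadata: { scopes: ['myapplication_write'] } });
const newcomerClaims = idTokenClaimsFor({ app_metadata: {} });
console.log(isAllowed(decodeJwtPayload(buildUnsignedToken(adminClaims)), 'myapplication_write'));    // true
console.log(isAllowed(decodeJwtPayload(buildUnsignedToken(newcomerClaims)), 'myapplication_write')); // false
```

Decoding the payload is not verification: before trusting the claim, the endpoint must validate the token's signature, issuer, audience and expiry, otherwise anyone can hand it a token with whatever scopes they like.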